Time for a password refresh!
Within the past two weeks, over 1 million decrypted passwords for some of the most popular mail and social media sites have been placed for sale on the Deep Web. What this means for you is that there is a chance that your information is unknowingly available for sale. A few of the sites involved in this data sale include gMail, Yahoo, LinkedIn, Tumblr, and Last.FM.
An Australian security researcher has instituted a Website to allow you to see if any of your eMail accounts or usernames have been involved in a breach incident. This site can be found at https://haveibeenpwned.com/
It is very simple to mitigate the threat associated with a password leak; log into your account and change your password. However, careful thought should go into setting up your password and considerations should be made if you use the same password across multiple sites. If you reuse your passwords across multiple sites, then from a security standpoint, all of the passwords should be changed as it is not unusual for attackers to attempt the same credentials gained in a breach across various services. As for setting up your password, simple is not always better. Nonetheless, overcomplexity in password design just makes it more difficult for you to access your account. A strong balance between security and usability is necessary, as if your password makes it more difficult for you to remember, and in turn slows down the access of your account, then it is not a good fit.
If your password contains an actual word, it can often be cracked quickly. The best recommendation is to use long passwords with a mix of Upper Case, Lower Case, Numbers, and special characters. While previously the recommendation was 8 characters as a minimum, current technology using advanced hardware and software can effectively determine shorter passwords quickly. Currently, from a security standpoint, the use of 10 characters or more is not uncommon, but the question is frequently how does one remember a password of that length.
Passwords do not need to look like I4t3|<4(3!, and can frequently be made more secure while creating them in a method can be readily remembered. For example, if your name is Cathy Smith, you certainly would not want to use the password of Cathysmith; however, you could, effectively use number and character substitution, or munging to make your password that simple. Using substitution, your password could be C@hySm1th! and have a greater chance of surviving a password based attack. An additional consideration is the frequency in which you change your password. Depending on the sensitivity of your data, changing your password between 60 and 90 days would assist in further protecting your information.
Though previously, we had made recommendations that users utilize password managers to remember complex passwords, they too have unfortunately been breached due to weaker than expected security. Based on a recent article from TWCN, a key component used by many popular password manager applications possessed a security weakness, meaning your passwords were saved in a format that was easily reversible. While it is apparent that the password managers have fixed the issue now that the weakness has been discovered, it would be advantageous, for those of you using password managers before March 1, 2017, to change your passwords as soon as possible, as historic information has the potential to be compromised.